OWASP TOP 10 in 2021
This page contains a glossary of the OWASP Top 10 application security risks and serves as a navigation guide through the most widespread vulnerabilities in modern web applications and APIs. Note that the ten categories and their numbering below follow the 2017 edition of the list; the 2021 edition, published in September 2021, renamed and merged several of them (Broken Access Control moved to first place, XML External Entities was folded into Security Misconfiguration, Insecure Deserialization into Software and Data Integrity Failures, and Insecure Design and Server-Side Request Forgery were added):
A1. Injection
OWASP A1 (Injection) covers the family of injection flaws, including SQL and NoSQL injection, OS command injection and LDAP query manipulation. Injection occurs when untrusted input is concatenated into a query or command that an interpreter then executes, usually because the application neither validates the input nor separates data from code through parameterised queries or proper escaping. A successful injection lets a remote attacker alter or execute arbitrary queries, commands or code on the vulnerable system, leading to data exfiltration, defacement and, in the worst case, full compromise of the web server. Read more about injections.
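The SQL flavour of this flaw and its standard fix, as an added example that is not part of the original page: the first login function builds the query by string formatting, the second passes the same values as bound parameters. The in-memory SQLite table, the user names and the plaintext passwords are constructed sample data for the demo only (a real application stores password hashes, not passwords).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a throw-away users table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "correct-horse")],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: attacker-controlled text is spliced into the SQL and becomes syntax."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Fixed: a parameterised query. The driver ships the values separately from the SQL
    text, so quotes and keywords inside the input stay data and never become syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo() -> dict:
    conn = make_db()
    # Classic tautology payload. In the vulnerable function the query becomes
    #   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, so the attacker logs in without any credential.
    payload = "' OR '1'='1"
    return {
        "vulnerable": vulnerable_login(conn, payload, payload),  # every user returned
        "safe": safe_login(conn, payload, payload),              # no match
        "legit": safe_login(conn, "alice", "s3cret"),            # normal login still works
    }


if __name__ == "__main__":
    print(demo())
```

Parameterisation is the fix for the query itself; input validation (an allow-list for the username format, length limits) is still worth adding as defence in depth, and the same separation of code from data applies to OS commands (argument arrays instead of shell strings) and LDAP filters (escaping per RFC 4515).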
A2. Broken Authentication
OWASP A2 (Broken Authentication) covers vulnerabilities in how the web application authenticates users and manages their sessions: credential stuffing and brute force left unthrottled, weak or default passwords accepted, session identifiers that are predictable, exposed in URLs or never rotated, and sessions that are not invalidated on logout or after inactivity. A remote attacker may bypass a poorly implemented authentication process to gain unauthorised or excessive access to the application, or impersonate its users. Under certain conditions, broken authentication may lead to compromise of the web server and related infrastructure such as databases or connected cloud storage. Read more about broken authentication.
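The controls that address the session-management half of this category, as an added example that is not the page's own code: an unguessable session token from the OS CSPRNG, an idle timeout, server-side invalidation on logout, a slow salted password hash compared in constant time, and a per-account failure counter. The work factor, timeout and lockout threshold are illustrative assumptions; the `alice` account and its password are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

PBKDF2_ROUNDS = 100_000        # assumption: tune to ~100 ms on the real hardware
SESSION_TTL_SECONDS = 15 * 60  # assumption: idle timeout for a session
MAX_FAILURES = 5               # assumption: lockout threshold per account


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted, deliberately slow hash; returns salt || digest for single-column storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison: a plain == stops at the first differing byte.
    return hmac.compare_digest(candidate, digest)


# Hash computed once so unknown usernames cost the same time as known ones.
_DUMMY_HASH = hash_password("not-a-real-password")


class SessionStore:
    """Server-side sessions keyed by a random token. The clock is injectable for testing."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        # 256 bits from the CSPRNG: not sequential, not derived from time or the user id.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def resolve(self, token: str) -> Optional[str]:
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[token]  # idle timeout: a stolen old token stops working
            return None
        session["last_seen"] = self._clock()
        return session["user"]

    def destroy(self, token: str) -> None:
        # Logout must invalidate server-side; clearing the cookie alone leaves it valid.
        self._sessions.pop(token, None)


class Authenticator:
    def __init__(self, users: Dict[str, bytes], store: SessionStore):
        self._users = users
        self._store = store
        self._failures: Dict[str, int] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return None  # locked: blunt but effective brute-force throttle
        stored = self._users.get(username)
        ok = verify_password(password, stored if stored is not None else _DUMMY_HASH)
        if stored is None or not ok:
            self._failures[username] = self._failures.get(username, 0) + 1
            return None
        self._failures.pop(username, None)
        return self._store.create(username)  # fresh token on every login (no fixation)


def demo() -> dict:
    now = [1_700_000_000.0]  # fake clock so the timeout can be exercised instantly
    store = SessionStore(clock=lambda: now[0])
    auth = Authenticator({"alice": hash_password("correct horse")}, store)
    results = {"wrong_password": auth.login("alice", "nope")}
    token = auth.login("alice", "correct horse")
    results["token_is_random"] = token is not None and len(token) >= 43
    results["resolves"] = store.resolve(token)
    now[0] += SESSION_TTL_SECONDS + 1
    results["after_idle_timeout"] = store.resolve(token)
    token2 = store.create("alice")
    store.destroy(token2)
    results["after_logout"] = store.resolve(token2)
    for _ in range(MAX_FAILURES):
        auth.login("alice", "guess")
    results["locked_out"] = auth.login("alice", "correct horse")
    return results
```

In a real deployment the token travels in a cookie marked `Secure`, `HttpOnly` and `SameSite`, and a memory-hard hash such as Argon2id or scrypt is preferable to PBKDF2 where the library is available.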
A3. Sensitive Data Exposure
OWASP A3 (Sensitive Data Exposure) flaws commonly stem from a flawed application architecture or from application logic errors: data transmitted or stored in cleartext, weak or misused cryptography, or responses and logs that return more than the caller needs. Sensitive data exposure, as its name suggests, leads to disclosure of personal data, financial information, healthcare records or other regulated data. The compromised data can then be used against the application's users in phishing attacks, identity theft and social engineering campaigns. Read more about sensitive data exposure.
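The logic-error side of this category, as an added example not taken from the page: a profile endpoint that serialises the whole database row beside one that emits an allow-list of fields per audience, plus masking for card numbers, redaction for log records and a check that can run in tests to catch regressions. The user record and field names are constructed for the demo.

```python
import re
from typing import Any, Dict, Set

# Constructed record in the shape an ORM would hand to a view handler.
USER_ROW = {
    "id": 42,
    "email": "alice@example.com",
    "display_name": "Alice",
    "password_hash": "pbkdf2_sha256$100000$...",
    "ssn": "123-45-6789",
    "card_number": "4111 1111 1111 1111",
    "is_admin": False,
}

SENSITIVE_FIELDS: Set[str] = {"password", "password_hash", "ssn", "card_number", "token"}
PUBLIC_FIELDS = ("id", "display_name")                    # what any visitor may see
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "card_last4")    # what the account owner may see


def profile_vulnerable(row: Dict[str, Any]) -> Dict[str, Any]:
    """Vulnerable: dumps the row as-is, so hash, SSN and PAN leave the server."""
    return dict(row)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number (PCI-DSS style display)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def profile(row: Dict[str, Any], viewer_is_owner: bool) -> Dict[str, Any]:
    """Fixed: build the response from an explicit allow-list chosen by audience."""
    allowed = OWNER_FIELDS if viewer_is_owner else PUBLIC_FIELDS
    derived = dict(row, card_last4=mask_pan(row["card_number"]))
    return {k: derived[k] for k in allowed if k in derived}


def redact_for_log(record: Dict[str, Any]) -> Dict[str, Any]:
    """Logs are a common exposure path: scrub known-sensitive keys before writing."""
    return {
        k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
        for k, v in record.items()
    }


def exposed_fields(payload: Dict[str, Any]) -> Set[str]:
    """Regression guard: which sensitive keys does an outbound payload still contain?"""
    return {k for k in payload if k.lower() in SENSITIVE_FIELDS}


if __name__ == "__main__":
    print(profile(USER_ROW, viewer_is_owner=True))
    print(redact_for_log(USER_ROW))
```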
A4. XML External Entities
OWASP A4 (XML External Entities) is mostly represented by XXE attacks against web applications that parse XML documents with a parser that still processes DTDs and resolves external entities. Though this fairly sophisticated vulnerability may be time-consuming to exploit, a successful attack lets the attacker read system files, reach internal resources from the web server (a form of server-side request forgery), cause denial of service through entity expansion and, in some configurations, execute arbitrary code, eventually compromising the web server or cloud instance where the application is hosted. Read more about XML external entities.
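What an XXE payload does to a resolving parser, and the DTD-rejecting parse path that prevents it, as an added example not from the page. The Python standard-library `ElementTree` parser does not fetch external entities itself, so the vulnerable behaviour is reproduced by a small toy resolver that does exactly what a misconfigured libxml2/Java/.NET parser would do: fetch the `SYSTEM` identifier and splice its content into the document. The payload, the temporary "secret" file and the element names are constructed for the demo.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def xxe_payload(path: str) -> str:
    """Constructed classic XXE probe: a DTD declares an external entity that points at a
    local file and the document body references it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file://{path}"> ]>\n'
        "<order><customer>&xxe;</customer></order>"
    )


_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+SYSTEM\s+"file://([^"]+)"')


def toy_resolving_parser(xml_text: str) -> str:
    """Toy stand-in for a parser configured to resolve external entities (the vulnerable
    setting). It substitutes each SYSTEM entity with the referenced file's content, strips
    the DTD and returns the <customer> text. Not a real XML parser."""
    for name, path in _ENTITY_RE.findall(xml_text):
        xml_text = xml_text.replace(f"&{name};", Path(path).read_text())
    body = xml_text.split("]>", 1)[1] if "]>" in xml_text else xml_text
    return ET.fromstring(body).findtext("customer")


_DTD_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def hardened_parse(xml_text: str) -> ET.Element:
    """Fixed: refuse any document carrying a DTD before it reaches the parser. With no DTD
    there can be no entity declaration, external or internal, which rules out both XXE and
    entity-expansion denial of service. This is the same effect as disabling DTDs in the
    parser configuration, which is the preferred fix where the parser offers that switch."""
    if _DTD_RE.search(xml_text):
        raise ValueError("DTD/ENTITY declarations are not accepted")
    return ET.fromstring(xml_text)


def demo() -> dict:
    # Constructed secret file standing in for /etc/passwd or an application config.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db_password=hunter2")
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = toy_resolving_parser(payload)  # file content ends up in the response
        try:
            hardened_parse(payload)
            blocked = False
        except ValueError:
            blocked = True
        clean = hardened_parse("<order><customer>alice</customer></order>").findtext("customer")
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "blocked": blocked, "clean": clean}


if __name__ == "__main__":
    print(demo())
```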
A5. Broken Access Control
OWASP A5 (Broken Access Control) includes improper, weak or otherwise flawed access restrictions and privilege-management errors that allow a remote attacker to reach restricted resources of the web application or of its environment. This business-logic vulnerability frequently occurs in insecure implementations of RESTful APIs and HTTP/S microservices, where an authenticated but unprivileged user can access data or functionality intended for other users or for privileged users only, typically by changing an object identifier in a request (insecure direct object reference) or by calling an endpoint that checks authentication but not authorisation. Read more about broken access control.
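The insecure-direct-object-reference pattern described above and its fix, as an added example not from the page: the vulnerable handler serves any order whose id exists, the fixed one checks ownership or role against the object and scopes list queries to the caller. Users, roles and the order table are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin"


@dataclass(frozen=True)
class Order:
    id: int
    owner: str
    total: float


# Constructed order table standing in for the database.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 49.99),
    1002: Order(1002, "bob", 1250.00),
}


class Forbidden(Exception):
    """Raised when an authenticated caller is not authorised for the object."""


def get_order_vulnerable(current_user: User, order_id: int) -> Optional[Order]:
    """Vulnerable: the route requires a login, but any valid id is served to anyone.
    An attacker changes ?id=1001 to ?id=1002 and reads another customer's order."""
    return ORDERS.get(order_id)


def get_order(current_user: User, order_id: int) -> Optional[Order]:
    """Fixed: authorisation is evaluated against the object, not just the endpoint."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if current_user.role != "admin" and order.owner != current_user.name:
        # Deny by default. Production APIs usually answer 404 for both "missing" and
        # "not yours" so the id space cannot be enumerated; raising keeps the demo explicit.
        raise Forbidden(f"{current_user.name} may not read order {order_id}")
    return order


def list_orders(current_user: User) -> List[Order]:
    """Scope the query to the caller instead of filtering a full result afterwards."""
    return [
        o for o in ORDERS.values()
        if current_user.role == "admin" or o.owner == current_user.name
    ]


def cancel_order(current_user: User, order_id: int) -> bool:
    """Privileged action: an explicit role check, never inferred from a hidden UI control."""
    if current_user.role != "admin":
        raise Forbidden("cancel requires the admin role")
    return ORDERS.pop(order_id, None) is not None


if __name__ == "__main__":
    alice = User("alice", "customer")
    print(get_order_vulnerable(alice, 1002))  # bob's order leaks
    print(list_orders(alice))                 # only alice's orders
```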
A6. Security Misconfiguration
OWASP A6 (Security Misconfiguration) covers erroneous or insecure configuration of the web application and its environment: debug modes left on in production, default accounts and passwords, unnecessary features, directory listing, verbose error messages, missing security headers and unpatched or overly permissive platform settings. Exploited on their own or combined with other vulnerabilities from the OWASP Top Ten, security misconfigurations can cause considerable damage and large-scale data breaches; for instance, the attacker may bypass security restrictions, gain unauthorised admin access to the system and eventually compromise the web application and its server environment. Read more about security misconfiguration.
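A configuration audit that encodes the checks listed above, as an added example that is not the page's code: an insecure settings dict beside its hardened counterpart, a function that returns one finding per weakness, and a check for missing HTTP security headers. The setting names are illustrative assumptions (Django/Flask-style), and the hardened `SECRET_KEY` is a placeholder, not a value to reuse.

```python
from typing import Dict, List

# Constructed settings in the shape of a typical web-framework config (key names assumed).
INSECURE_CONFIG = {
    "DEBUG": True,
    "SECRET_KEY": "changeme",
    "ADMIN_USER": "admin",
    "ADMIN_PASSWORD": "admin",
    "DIRECTORY_LISTING": True,
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": False,
    "ALLOWED_HOSTS": ["*"],
    "CORS_ALLOW_ORIGIN": "*",
    "SERVER_TOKENS": True,
}

HARDENED_CONFIG = {
    "DEBUG": False,
    # Placeholder only: generate the real value with secrets.token_hex(32).
    "SECRET_KEY": "a3f1c0e9b7d2458e61f0c9a4b5d7e8f12c3d4e5f60718293a4b5c6d7e8f90a1b",
    "ADMIN_USER": "ops-admin",
    "ADMIN_PASSWORD": "set-at-deploy-time-from-vault",
    "DIRECTORY_LISTING": False,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "ALLOWED_HOSTS": ["shop.example.com"],
    "CORS_ALLOW_ORIGIN": "https://shop.example.com",
    "SERVER_TOKENS": False,
}

DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "changeme")}
WEAK_SECRETS = {"", "changeme", "secret", "password", "dev", "test"}


def audit_config(cfg: Dict) -> List[str]:
    """Return one finding per misconfiguration; an empty list means the checks pass."""
    findings: List[str] = []
    if cfg.get("DEBUG"):
        findings.append("DEBUG=True: stack traces and interactive debuggers reach end users")
    key = str(cfg.get("SECRET_KEY", ""))
    if key.lower() in WEAK_SECRETS or len(key) < 32:
        findings.append("SECRET_KEY weak or missing: signed cookies and tokens can be forged")
    if (cfg.get("ADMIN_USER"), cfg.get("ADMIN_PASSWORD")) in DEFAULT_CREDENTIALS:
        findings.append("default admin credentials still set")
    if cfg.get("DIRECTORY_LISTING"):
        findings.append("directory listing enabled: backups, dotfiles and source may be browsable")
    if not cfg.get("SESSION_COOKIE_SECURE"):
        findings.append("session cookie without Secure flag: sent over plain HTTP")
    if not cfg.get("SESSION_COOKIE_HTTPONLY"):
        findings.append("session cookie without HttpOnly flag: readable by injected script")
    if "*" in cfg.get("ALLOWED_HOSTS", []):
        findings.append("ALLOWED_HOSTS='*': Host header poisoning possible")
    if cfg.get("CORS_ALLOW_ORIGIN") == "*":
        findings.append("CORS wildcard origin: review which responses any site may read")
    if cfg.get("SERVER_TOKENS"):
        findings.append("server version banner exposed: eases fingerprinting of known flaws")
    return findings


REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
)


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Compare a response's headers (case-insensitively) against the required set."""
    present = {k.lower() for k in headers}
    return sorted(h for h in REQUIRED_HEADERS if h.lower() not in present)


if __name__ == "__main__":
    for finding in audit_config(INSECURE_CONFIG):
        print("-", finding)
```

Checks like these belong in CI and in the deployment pipeline, so that a setting flipped for local debugging cannot reach production unnoticed.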
A7. Cross-Site Scripting
OWASP A7 (Cross-Site Scripting) covers XSS flaws, which occur when the web application includes untrusted data in a page without proper validation or context-aware output encoding, so that attacker-supplied script runs in the victim's browser. The three classic forms are reflected XSS (the payload arrives in the request and is echoed back), stored XSS (the payload is saved server-side and served to other users) and DOM-based XSS (client-side code writes untrusted data into the page). A successful attack lets the attacker hijack user sessions, deface the site, redirect users to malicious pages or perform actions on their behalf. Read more about cross-site scripting.
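Context-aware output encoding on the server side, as an added example that is not the page's code: a comment renderer that interpolates raw strings beside one that HTML-escapes, an `href` builder that also restricts the URL scheme (escaping alone does nothing against `javascript:` URLs), and a helper for embedding data in an inline script. The templates and payloads are constructed for the demo.

```python
import html
import json
from urllib.parse import urlparse


def render_comment_vulnerable(author: str, body: str) -> str:
    """Vulnerable: untrusted text lands in HTML as-is (stored or reflected XSS)."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment(author: str, body: str) -> str:
    """Fixed for the HTML body context: escape <, >, &, quotes before interpolation."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(url: str) -> str:
    """URL attribute context: allow-list the scheme, then escape for the attribute.
    Escaping cannot neutralise javascript:alert(1), it has no markup characters at all."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in SAFE_SCHEMES:
        return "#"
    return html.escape(url.strip(), quote=True)


def render_profile_link(url: str, label: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'


def to_js_literal(value) -> str:
    """Inline-script context: JSON-encode and additionally escape < > & so a value such as
    '</script><script>...' cannot close the script element early."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_page(comment_author: str, comment_body: str, profile_url: str) -> str:
    """All three contexts in one constructed page fragment."""
    return "\n".join([
        render_comment(comment_author, comment_body),
        render_profile_link(profile_url, "profile"),
        f"<script>var user = {to_js_literal({'name': comment_author})};</script>",
    ])


if __name__ == "__main__":
    print(render_page("mallory", "<script>alert(1)</script>", "javascript:alert(1)"))
```

Modern template engines escape the HTML body context by default; the cases that still bite in practice are the attribute and script contexts and the places where auto-escaping is switched off for "trusted" HTML. A Content-Security-Policy header is worth adding as a second layer, not as a replacement for encoding.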
A8. Insecure Deserialization
OWASP A8 (Insecure Deserialization) vulnerabilities are comparatively complex and time-consuming to exploit, and are therefore found less often than the other items on the list. Nonetheless, the popular WordPress CMS and its countless plugins have been affected by critical RCE vulnerabilities via PHP deserialization attacks. Deserializing untrusted data received from a remote attacker, without restricting which classes may be instantiated, often leads to remote code execution (RCE) on the vulnerable system. Other attack vectors are also possible, such as injection flaws, privilege escalation within the application or replay attacks built on tampered serialized objects. Read more about insecure deserialization.
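The mechanism behind deserialization RCE and the class-restriction fix, as an added example not from the page. The page's examples are PHP; this block uses Python's `pickle`, whose `__reduce__` hook plays the same role as PHP's magic methods: the format can name any importable callable and the loader invokes it. The "exploit" only runs `echo pwned` so the effect is observable; the `Order` class and the allow-list are constructed for the demo.

```python
import io
import pickle
import subprocess
from dataclasses import dataclass


class Exploit:
    """Attacker-controlled object graph. On load, pickle calls the callable returned by
    __reduce__ with the given arguments: here subprocess.check_output(["echo", "pwned"]).
    Any callable reachable by import would do (os.system, builtins.eval, ...)."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def build_malicious_payload() -> bytes:
    return pickle.dumps(Exploit())


def vulnerable_loads(data: bytes):
    """Vulnerable: code runs during deserialization, before any validation can happen."""
    return pickle.loads(data)


@dataclass
class Order:
    """The one application type this endpoint legitimately expects."""
    id: int
    owner: str


ALLOWED_CLASSES = (Order,)


class RestrictedUnpickler(pickle.Unpickler):
    """Fixed: resolve only allow-listed classes. Every GLOBAL/STACK_GLOBAL opcode goes
    through find_class, so a payload naming subprocess.check_output is rejected before
    anything is called. Plain containers and scalars never reach find_class."""

    def find_class(self, module, name):
        for cls in ALLOWED_CLASSES:
            if (module, name) == (cls.__module__, cls.__qualname__):
                return cls
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    payload = build_malicious_payload()
    print(vulnerable_loads(payload))  # b'pwned\n': the shell command ran
    try:
        safe_loads(payload)
    except pickle.UnpicklingError as exc:
        print("blocked:", exc)
```

The allow-list is the mitigation for code that must keep accepting a native serialization format; the stronger fix is to move to a data-only format such as JSON with explicit schema validation, and, where serialized objects are handed to clients (cookies, hidden fields), to sign them so tampered or replayed objects are rejected before they are parsed.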
A9. Using Components with Known Vulnerabilities
OWASP A9 (Using Components with Known Vulnerabilities) concerns libraries, frameworks and other software modules that run with the same privileges as the application and carry publicly known vulnerabilities. Because the flaw and often a working exploit are already public, the attacker only needs to identify the component and its version, which is frequently visible in response headers, error pages or client-side assets. Defending against it requires an inventory of components and their versions, monitoring of vulnerability sources, and timely patching or upgrading. Read more about using components with known vulnerabilities.
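The inventory-against-advisories check at the core of this category, as an added example not from the page: a pinned requirements file is parsed, each pinned version is compared with a constructed advisory feed, and unpinned entries are reported because their deployed version is unknown. The package names and advisory identifiers are fictitious demo data, not real vulnerabilities; version comparison is numeric-only, which is an assumption that ignores pre-release tags.

```python
import re
from typing import Dict, List, Tuple

# Constructed advisory data for the demo (NOT real CVEs): package -> [(fixed_in, advisory_id)].
# "fixed_in" means every version below it is affected by that advisory.
DEMO_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "demo-webframework": [("2.3.1", "DEMO-ADV-001")],
    "demo-xmlparser": [("1.0.5", "DEMO-ADV-002"), ("1.2.0", "DEMO-ADV-003")],
}

# Constructed requirements file as a project might pin it.
DEMO_REQUIREMENTS = """\
demo-webframework==2.2.0
demo-xmlparser==1.1.0
demo-crypto>=3.0        # not pinned: the deployed version is unknown
demo-logger==4.0.0
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only comparison (assumption: pre-release suffixes are ignored)."""
    return tuple(int(part) for part in re.findall(r"\d+", v))


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (pinned name->version, unpinned lines) from requirements.txt-style text."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def find_vulnerable(pinned: Dict[str, str],
                    advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str, str]]:
    """(package, installed, advisory, fixed_in) for every pinned version below a fix."""
    findings = []
    for pkg, version in pinned.items():
        for fixed_in, advisory in advisories.get(pkg, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((pkg, version, advisory, fixed_in))
    return findings


def audit(requirements_text: str, advisories=DEMO_ADVISORIES) -> dict:
    pinned, unpinned = parse_requirements(requirements_text)
    return {"vulnerable": find_vulnerable(pinned, advisories), "unpinned": unpinned}


if __name__ == "__main__":
    report = audit(DEMO_REQUIREMENTS)
    for pkg, ver, adv, fix in report["vulnerable"]:
        print(f"{pkg}=={ver}: {adv}, upgrade to >= {fix}")
    for line in report["unpinned"]:
        print(f"unpinned: {line}")
```

In practice the advisory side comes from a live source such as the OSV database or NVD, and tools like `pip-audit` (Python) or `npm audit` (Node) do this comparison for you; the value of writing it out is seeing that the check is only as good as the inventory, which is why unpinned or vendored components are flagged rather than silently skipped.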
A10. Insufficient Logging and Monitoring
OWASP A10 (Insufficient Logging and Monitoring) is the last element of the OWASP Top 10 list. Timely detection of malicious activity is essential for modern cyber defenders and depends on proper logging of security events, timely reaction to incidents and protection of the logs themselves from tampering or deletion. This is achieved by holistic, centralised logging for web applications and by meticulous monitoring of anomalous or suspicious HTTP requests and user behaviour patterns. Known web attack patterns, from primitive password bruteforcing to seemingly legitimate HTTP requests sent from IP addresses known to participate in hacking campaigns, should all be logged and investigated by the Blue Team or SOC analysts. Read more about insufficient logging and monitoring.
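Two of the controls named above in working form, as an added example that is not the page's code: detection logic that runs over web-server access-log lines (a sliding-window brute-force rule on failed logins and a match against a threat-intel IP list), and a keyed hash chain that makes deletion or edits of earlier log lines detectable. The log lines, the IP addresses (all from the documentation ranges) and the "known bad" list are constructed for the demo.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed combined-format access log standing in for the web server's real log.
LOG = """\
198.51.100.23 - - [10/Oct/2021:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Oct/2021:13:55:03 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [10/Oct/2021:13:55:05 +0000] "GET /account HTTP/1.1" 200 2048
198.51.100.23 - - [10/Oct/2021:13:55:06 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Oct/2021:13:55:08 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Oct/2021:13:55:11 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/Oct/2021:13:55:14 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.77 - - [10/Oct/2021:13:57:30 +0000] "GET /wp-login.php HTTP/1.1" 404 169
192.0.2.10 - - [10/Oct/2021:13:58:02 +0000] "POST /login HTTP/1.1" 302 0
"""

KNOWN_BAD_IPS = {"203.0.113.77"}  # constructed threat-intel list

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are worth counting too; skipped here for brevity
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def detect(lines: List[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, str, str]]:
    """Return (rule, ip, detail) alerts. Brute force fires once, when the number of failed
    logins from one source inside the window first reaches the threshold."""
    alerts: List[Tuple[str, str, str]] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        if event["ip"] in KNOWN_BAD_IPS:
            alerts.append(("known_bad_ip", event["ip"], f'{event["method"]} {event["path"]}'))
        if event["method"] == "POST" and event["path"] == "/login" and event["status"] == 401:
            hits = failures[event["ip"]]
            hits.append(event["ts"])
            hits[:] = [t for t in hits if event["ts"] - t <= window]  # slide the window
            if len(hits) == threshold:
                alerts.append(("bruteforce", event["ip"],
                               f"{threshold} failed logins within {window}"))
    return alerts


def hash_chain(lines: List[str], key: bytes) -> List[str]:
    """Tamper evidence: digest_i = HMAC(key, digest_{i-1} || line_i). Shipping the chain
    to a separate store means any edit or deletion of an earlier line breaks every later
    digest; the key must live outside the host that writes the log."""
    chain, prev = [], b""
    for line in lines:
        prev = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        chain.append(prev.hex())
    return chain


def first_tampered_index(lines: List[str], chain: List[str], key: bytes) -> Optional[int]:
    """Recompute and compare; return the index of the first mismatch, or None if intact."""
    recomputed = hash_chain(lines, key)
    for i, (a, b) in enumerate(zip(recomputed, chain)):
        if not hmac.compare_digest(a, b):
            return i
    return None if len(recomputed) == len(chain) else min(len(recomputed), len(chain))


if __name__ == "__main__":
    for alert in detect(LOG.splitlines()):
        print(alert)
```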